Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

CryptoWall - To pay or not to pay?


  • Please log in to reply
4 replies to this topic

#1 Droidling

Droidling

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:09:39 AM

Posted 02 July 2014 - 11:49 AM

My CEO opened an IRS email with a .zip attachment, containing CryptoWall, on Friday June 20th. He didn't realize he had been infected for  5 days. By that time I was on vacation so he got his son (a sys admin at another company) to clean the virus off the computer. Of course all of his files were still encrypted.  The virus also got into a network share that had his online backups. They tried "restore previous version" on the Windows 7 computer and got a few files back. Then they tried restoring his my documents folder. The son believes there was not enough disk space which caused the restore to crash, and corrupt the windows shadow data. Now the OS is saying there are no previous versions to restore.  The offline backup is old enough that the CEO wants to just pay the money to get his files back. I have a lot of misgivings about that.  I know the ethical choice, but if I can't find a practical reason, I may not have a choice.

 

 

I have a lot of questions. The main ones are:

Is it possible to reverse the failed "restore previous versions" and go back to recovering the files a few at a time?

 

If we send $1000 to the ransomeware criminals, what are the chances that we will actually get the data back.

 

Can I avoid getting further infections in the process of sending payment getting the encryption keys and restoring the files.

        
As a question of forum etiquette, would it be double posting to start a separate thread on how I can avoid this type of thing in the future?  Same event, but a very different topic.



BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,474 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:39 PM

Posted 02 July 2014 - 02:53 PM


CryptoWall is essentially a new variant of CryptoDefense.

A repository of all current knowledge regarding CryptoDefense is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ

Reading that Guide will help you understand what CryptoDefense does and provide information for how to deal with it and possibly decrypt/recover your files. At this time there is no fix tool for CryptoWall.

There is also a lengthy ongoing discussion in this topic: CryptoWall - new variant of CryptoDefense. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.

Thanks
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 cederico

cederico

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:39 PM

Posted 03 July 2014 - 08:43 AM

I'm in the same position than you... wondering if we must pay to bring back 2 weeks of work...

 

Have you solved your problems ? how ?



#4 Droidling

Droidling
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:09:39 AM

Posted 21 July 2014 - 12:58 PM

I would like to close this in favor of existing topics suggested by quietman7. I can't find a way to mark it closed.

 

We decided not to pay, and just live with the lost data. I'm still hoping that someone may find a way to decrypt files without paying the ransom. If not, this was a hard way to learn about keeping off line backups.


Edited by Droidling, 21 July 2014 - 12:59 PM.


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,474 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:39 PM

Posted 21 July 2014 - 04:10 PM

As a general rule BleepingComputer does not close (lock) topics in this forum.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users